Change the Status of an Investigation

When you click a link value in an Investigation in the Burndown tab to create the first pivot or create a new investigation from scratch by creating the first pivot, that investigation is marked as Open. This page describes options for changing the status of an investigation.

Escalate an investigation

If you are stumped in pursuing an investigation and want to hand it off to a more experienced analyst or someone with specialized knowledge, set the status to Escalated. When you escalate an investigation, Investigation Workflow will prompt you for:

Reason for Escalation. Short description of why you are escalating the investigation.

Assignee. Name of the analyst to whom you want to assign the investigation.

Tier. The support tier to which you want to escalate the investigation.

Shelve an investigation

If you are stopping work on an open investigation and are not going to escalate it, you can Shelve it. The investigation will remain active. Marking it Shelved lets other users know that the Investigation is not currently being worked on. When you shelve an investigation, you are prompted for:

Blockers. Short description of the problems preventing forward progress.

Reason for Shelving. Why you are shelving the investigation, for instance because you have been pulled off on another project.

Close an investigation

When you complete your work on an Investigation, you should mark it as Closed. You will be prompted for:

Investigation Summary and Priority. Update these fields.

Reason for Closing. Explanation of why you are closing the investigation.

Recommended Actions. Description of any recommended actions to take in response to the incident.

After you close an investigation, it still appears in the Burndown tab. You can view it by clicking the eye icon in the left column in the Burndown tab.

Re-open an investigation.

If new evidence comes to light after an investigation is closed, you can reopen it. When you reopen an investigation, you will be prompted for:

Reason for Reopening. Description of why you are reopening the investigation.

Priority. Updated Investigation Priority.

Mark an investigation as a duplicate

You can close an investigation by marking it as a duplicate of another investigation. You will be prompted for:

Duplicated Investigation. Select the Investigation which the current one duplicates.

Drop an Investigation

If you have started an investigation but intend not to work on it anymore, you can mark it as Dropped. You will be prompted for:

Reason for Dropping. Description of why you are dropping the investigation. The analyst will be asked to describe why they are dropping the Investigation.

Recommended articles

Sumo Logic is the industry’s leading secure, cloud-native, machine data analytics service, delivering real-time, continuous intelligence across the entire application lifecycle and stack. More than 1,000 customers around the globe rely on Sumo Logic for the analytics and insights to build, run and secure their modern applications and cloud infrastructures.